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Abstract —For physical-layer authentication, the authentication 
tags are often sent concurrently with messages without much 
bandwidth expansion. In this paper, we present a channel coding 
approach for physical-layer authentication. The generation of 
authentication tags can be formulated as an encoding process 
for an ensemble of codes, where the shared key between Alice 
and Bob is considered as the input and the message is used to 
specify a code from the ensemble of codes. Then, we show that the 
security of physical-layer authentication schemes can be analyzed 
through decoding and physical-layer authentication schemes can 
potentially achieve both information-theoretic and computational 
securities. 

Index Terms —Physical-layer authentication, channel cod¬ 
ing, decoding complexity, computational security, information- 
theoretic security. 

I. Introduction 

ESSAGE authentication codes (MACs) are crypto¬ 
graphic primitives used extensively in the construction 
of security services, include authentication, nonrepudiation, 
and integrity. Basically, message authentication is to ensure 
that an accepted message truly comes from its acclaimed 
transmitter. When the transmitter intends to send a message, 
it also generates a MAC, which is a function of the message 
and a shared key, known only to both the transmitter and the 
receiver. The generated MAC is often appended to the message 
m . At the receiver, a MAC is computed from the received 
message and compared to the MAC that is transmitted. If the 
two MACs are identical, then the transmitter is identified as 
a legal user and it is highly likely the received message is 
exactly equal to the one transmitted. 

MAC algorithms can be constructed from other crypto¬ 
graphic primitives, such as cryptographic hash functions or 
from block cipher algorithms. Currently, the security of MAC 
algorithms rely on the hardness of hush functions, i.e, given 
the message and its MAC, it is “hard” to forge a MAC on a 
new message. 

As the development of mobile communications, ensuring 
security of wireless communications has becoming increas¬ 
ingly important. Openness of wireless networks makes them 
vulnerable to spoofing attacks where an unauthorized user 
masquerades as another legitimate user. Although conventional 
cryptographic security mechanisms can be used to foil such 
attacks above the physical layer El, 0. However, it was 
believed that more efforts should be done to prevent potential 
innovative attacks since the wireless medium offers novel 
avenues for intrusion. In recent years, there has been various 


efforts Ha-El in authenticating the sender and receiver at 
the physical layer, based on prior coordination or secret 
sharing, where the sender is authenticated if the receiver can 
successfully demodulate and decode the transmission. Among 
various reported works, it was commonly observed that the 
physical properties of the wireless medium are a powerful 
source of domain-specific information that can be used to 
complement and enhance traditional security mechanisms lH. 

In 161, a physical-layer authentication scheme was proposed, 
in which MACs, along with messages, are transmitted con¬ 
currently over the physical layer. Compared to the traditional 
transmission approach above the physical layer, the authors 
claims the possibility of information-security due to the in¬ 
troduction of the noise. However, this is not justified in a 
rigourous way. 

In this paper, we provide a channel coding approach for 
physical-layer authentication. Our contributions include two 
aspects. Eirstly, the computational security can be expressed 
as the requirement for decoding complexity. Secondly, the 
information security can be formulated for physical-layer 
authentication schemes using the standard techniques for a 
converse proof of channel coding theorem fSl . 

Throughout this paper, upper case letters (e.g., X ) will 
denote random variables, lower case letters (e.g., x) will 
denote realizations of the corresponding random variables, and 
calligraphic letters (e.g., X) will denote finite alphabet sets 
over which corresponding variables range. Also, upper case 
boldface letters (e.g., X ) will denote random vectors whereas 
lower case boldface letters (e.g., x) will denote realizations of 
the corresponding random vectors. 

II. A Coding Eormulation of Physical-Layer 
Authentication 

A. Physical-Layer Authentication 

Suppose that Alice and Bob agree on a keyed authentication 
scheme that allows Bob to verify that the messages he receives 
are from Alice. In order to authenticate, Alice sends an 
authentication tag (or a MAC), along with a message, for 
declaring his identity. We call the transmitted signal under 
this scheme as the tagged signal. 

Eormally, Alice, as the sender, wants to transmit the au¬ 
thentication tag T together with the message S so Bob (as 
the receiver) can verify her identity. In general, the tag is a 
function of the message S and the secret key K 

T = t{S,K), 



( 1 ) 
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where t : S x K. ^ T is a (hash) function. 

In order to focus on the essential ideas, we assume here 
that both the message S and tag T can be denoted as binary 
random vectors with BPSK modulation. In what follows, we 
do not discriminate between binary and bipolar vectors, as it 
can be well understood from the text. 

Often, the tag is a short string computed on the message S 
to be authenticated and the shared secret key K. Let Ls,Lk, Lt 
denote the length of the message S, the key K and the tag T, 
respectively. In practice, Lg ^ Lt- Here, we always assume 
that Lg = QLt, where Q is a large integer. 

The tag is padded to the message and simultaneously 
transmitted. The tagged signal (in a discrete column vector 
form) can be written as 

U = PgS + pttq, (2) 

where 0 < Ps,pt < I, pi + Pt = 1, and t, = tp{t) is a 
modulation process for modulating a binary tag string t into 
the physical discrete-signal vector tg, which is chosen to meet 
E[s^tq] = 0 Ih). Hence,we can interpret pi and pi as energy 
allocations of the message and tag, respectively. 

Essentially, for concurrent transmission of both message and 
tag, the bit string of a tag should be transmitted with a much 
lower rate (^) than the message symbol rate. In 0, the Haar 
wavelet is employed for modulating tags. In this paper, we, 
however, assume a simple repetition function of namely, 
each component of t is repeated Q times, which means that 

^(f) 7^17^2)*** 7^2;*** ■ (3) 

This is employed for ease of analysis. 

By assuming an additive white Gaussian noise (AWGN) 
channel model, the received signal vector at Bob can be written 
as 

r = u -f z, (4) 


where each codeword Cfc(s) = r (s, k) is indexed by a possible 
key k € /C with k — 1 = K(k) denoting the decimal number 
expression of the binary vector k. There are |/C| = 2^'“ 
codewords. Now, the code rate of C(s) can be defined as 

Rc = (7) 

Consider that Alice wants to authenticate with Bob, she 
normally sends a message s, and then a tag Cfe(s) = r (s, k) is 
generated using the shared key k. Equivalently, the generation 
of the tag for a given message s can be considered as an 
encoding process of 

r(s,-):/C^r. (8) 

As the message s is generated according to a finite message 
set S, one have to consider an ensemble of codes H(C) = 
{C(s) : s G 5}, which is of fixed rate Rc- 

This ensemble of codes r2(C) is revealed to both Alice and 
Bob. Erom a standard cryptographic view, this code ensemble 
is also revealed to Eve. 

Definition 1: The minimum Hamming distance of the code 
ensemble H(C) can be defined as 

dmin = minmind/r (r(s, k), t(s, k) ) , (9) 

se-S k 52 k ^ ^ 

where d//(ci, C 2 ) denotes the Hamming distance of two binary 
vectors Ci and C2. 

Now, the task of physical-layer authentication can be for¬ 
mally formulated as a hypothesis testing problem as follows. 

Jit Bob decides if y is from Alice or not by assuming that 
s, k, t(-, •) are available; 

4|k Eve tries to retrieve k from y by assuming that 
s, r(-,') are available. 

III. Hypothesis Testing 
A. General Formulation 


where z is assumed to an AWGN vector. 

As 1^1 ^ 1 and the signal-to-noise ratio (SNR) is 

sufficiently high, the transmitted message is assumed to be 
completely recoverable (often enhanced by error-correcting 
codes) for both Bob and Eve. Therefore, one can assume that 
the transmitted signal vector s is known to both Bob and Eve. 

When s is available at the receiver, it can cancel the message 
from the received signal samples and the message-free version 
of a tag can be retrieved which takes the form of 

y = x-i-w, (5) 

where x = t and w is the zero-mean additive white Gaus¬ 
sian noise vector with variance and 

7 ( denotes the signal-to-noise ratio (SNR) observed by the 
authentication tags. 


B. A Coding Formulation 

Given a message s G 5, it is possible to generate a code 
C(s), which comprised of 2^*^ codewords, namely. 


To complete the authentication process. Bob requires to 
verify that whether the response signal y is from Alice or 
not. If the response signal is not from Alice but Eve (an 
impersonation attacker), it is assumed that Eve generates 
length-Lfe binary random vector ks for authentication as there 
is no any information about kA(= ks) available. Essentially, 
this is cast as a binary hypothesis testing problem: 

Ho : K = kB ( 10 ) 

Hi : K = kE (11) 


where K denotes the acknowledged key. 

Hypothesis testing is the task of deciding which of two 
hypotheses. Hi or Hq, is true, when one is given the value u 
of a random variable U (e.g., the outcome of a measurement), 
namely, U = u. In our case, U = {Y,K), u = (y, k^). We 
begin with the formulation of the optimum binary hypothesis 
testing, i.e.. 




log 

log 


PHq {U = u) ^ p{y,K ^ ks) 
PHi (U = u) p{y)p{K = ks) 

_ p{y\K = kg)_ 

SkejP^"-'= = k)p(7T = k)' 


( 12 ) 


C(s) = {ci(s),--- ,C 2 is,(s)}, 


( 6 ) 


(13) 
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We point out that in the case of Hi, the generation of the 
message and key is independent to each other as there is no 
means to efficiently gauss the key. 

As the message s is assumed to be available, it is clear that 


p(y|k) cx exp 


(y-t)t(y-t) - 

20-5, 


(14) 


with t = t(s, k). 

In general, this binary hypothesis testing problem in its 
optimum form can not be easily tackled as it requires to 
enumerate 2^ binary vectors of k with a priori uniform 
distribution. However, its performance can be information- 
theoretically bounded ||9l, which is summarized as follows. 


B. Detection Probability vs. False Alarm Probability 

Let Pq = 1 — a be the detection probability, namely, 
the probability of successful declaration of Hq when Hq is 
actually true, and P/ = /3 be the false alarm probability, 
namely, the probability of false declaration of Pq when Hi is 
actually true. 

Let the function d{a, /3) be defined by 

d{a,/3) =a\ogj^ + {l-a)log^-^. (15) 

With optimal hypothesis testing (fl^ . its detection probabil¬ 
ity and false alarm probability are closely connected. 

Lemma 1: jj] The detection probability 1 — a and the false 
alarm probability fd satisfy 

d(a,/3) < Dkl (p(y,kB)||p(y)p(kB)) =I(Y;K) (16) 


where zq = cfwi. We denote its mean and variance as 

m - E{'q\Hii} = Lt, 

^ War{r,\Ho} = LaiK ( 20 ) 

By decomposing the hypothesis Hi into a series of sub¬ 
hypothesises : Hi, S = s, K = ks}, i.e., by further as¬ 

suming that the transmitted signal is s and Eve impersonates 
Alice using the key k^, we have 


r]\Hf = Lt- 2dH (t(s, ks), r(s, k^)) -f 2:1, (21) 

where zi = cfwi. Then, 

?7i''=P{ry|Pi,s, ks} = Lt - 2dH (t(s, ks), r(s, k^)) , 
CTBjfe = Var{ ?71 Pi, s,kB} = (22) 

It is clear that ?7|Po ~ ^ 

The authentication is typically claimed if 77 > p. The thresh¬ 
old g of this test is determined for a false alarm probability jd 
according to the distribution of rylPi 


Q = argminPs^kE 
q' 


Q 


q' - vf 

GhsU 


where 


Q{x) = 


1 


bilit 

Pd = Q 


P 


>/3, 

(23) 

dt. 

(24) 


The detection probability can be simply computed as 

' Q-V o' 

<^Ho 


(25) 


where I (V ; K) denotes the mutual information between two 
random variables Y and K, and 

L»iVL (/(x)I | 5 (x)) = ^/(x) log (17) 

for two probability distributions f{x),g{x). 

C. A Suboptimal Solution 

As the optimum hypothesis testing is difficult to implement, 
we propose to use a simple test statistic 

V = CbY, (18) 


IV. A Decoding Approach for Security Analysis 

For a physical-layer authentication system, we can char¬ 
acterize it using a quadruple {5,/C, H(C),p(y|x)}. In this 
paper, we always assume a memory-less channel and hence, 

p(y|x) = 

A. Adversary Model 

Eve, as the adversary, is an aware receiver and knows the 
authentication scheme that Alice and Bob are using. However, 
she does not know the shared secret key between Alice and 
Bob. She can be a passive attacker or active attacker. As an 
active attacker. Eve can perform impersonation attacks. 


and C, is further compared to a threshold value g for making 
a final decision, where cb = t(s, k^) is the codeword due to 
the input of ks at Bob. 

This approach can be viewed as a code acquisition approach 
encountered in code-division multiple-access (CDMA) com¬ 
munication systems, where cb can be considered as a unique 
PN code, which is available at the sides of both Alice and 
Bob, but keeps unknown to any potential attacker. 

In both hypotheses, p is the sum of Lt normally distributed 
random variables, which is still normally distributed. There¬ 
fore, it suffices to compute its mean and variance. 

In the case of hypothesis Hq, one can show that 

(19) 


B. Passive Attacks: A Decoding Approach for Recovery of Key 
As a passive attacker. Eve only monitors all frames inside 
the network during authentication, and tries to learn kg from 
whatever it gets. 

Firstly, we consider the noiseless setting as in a classic 
authentication application above the physical layer, in which 
Eve can directly acquire the signal s and the tag y = r(s, kg). 
Given s and if the encoding rule 

r(s,-) :/C^r 

is a bijection. Eve can recover the key k by generating a 
lookup table of size 2^*= and searching over this table for 
finding the key k^, which admits y = r(s,kB). 


pliTo = Lt + zo, 
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In the language of coding, it means that the recovery of 
key can be considered as decoding of the received signal V 
to its maximum possible encoding input K{Y). Given s, if 
any decoder K{Y) is of computational complexity 0(2^'=), 
we claim that the computational security can be achieved for 
this authentication system. 

Definition 2: (Computational security) Given a physical- 
layer authentication system n(C),p(y|x)}, we claim 

that this system is computationally secure if for any decoder 
K{Y), its computation complexity is of 0(2^'“). 

For ensuring computational security, it requires that no any 
efficient decoding algorithm exists for any code C(s) G 17 (C). 
Since the publication of Shannon’s original paper in 1948, the 
search of the codes for achieving the channel capacity has 
come a long way. Currently, linear codes and their efficient 
decoding algorithms have been extensively studied. Therefore, 
for construction of a good physical layer authentication sys¬ 
tem, linear code ensembles should be better avoided as their 
complexity can often be reduced due to the linearity of codes. 

In the classic authentication scenarios. Eve can observe 
several pairs of (message,tag), namely, {si,ti = T(si,k)),* = 
1, • • • ,1. For computational security, it means that Eve is still 
hopeless for getting an estimate of k with many observation 
pairs In the language of coding, this can be well 

justified as each pair reflects an codeword of C{si). 

If Si ^ Sj, ti and tj reveal the structure of two different 
codes, i.e., C{si) and C{sj). 


authentication, the best possible decoding probability with 
ML decoding for a potential eavesdropper can now be lower 
bounded with the Shannon’s 1959 sphere-packing bound. 

Lemma 2: (The 1959 Sphere-Packing Lower Bound ifTOl ') 
For a physical-layer authentication system, characterized by 
the quadruple {5,/C, f2(C),p(y|x)}. Let a message s G 5 be 
sent, and the authentication tags are assumed to be transmited 
over a Bi-AWGN channel with the signal-to-noise ratio of 74 . 
For any decoder K, it is clear that K t(s, K) X ^ 
Y ^ K form a Markov process. Let = Pr(iT K), we 
have that 

Pe > PsPB {Lt, 0, 7t) , 

where 

PsPB = QW‘^Ptlt) ^ - 

yZTT 

_ 

Je 

and 6 G [ 0 , 7 r] satisfies the inequality with 

Lt-l Q 

) do 


Secondly, we consider the noise setting, as seen in the 
physical-layer authentication scenarios. 

Definition 3: Let the binary codeword c G C, which is 
further modulated with x(c) and transmitted over the channel 
p(y|x), the received vector y G 72.^*. A maximum-likelihood 
(ML) decoding algorithm decodes the vector y into a code¬ 
word c, such that 

c = maxp(y|x(c)) . (26) 

c^C 

Definition 4: (ML recoverable) Given y G 72^* and s, 
where y = t(s, k) -f w. For an ML decoder k(y), we mean 
that 

k = maxp(y|k, s). (27) 

k€/C 

If Pr(k k^) = 0, we claim that the authentication key is 
ML recoverable. 


In what follows, we consider a binary-input continuous- 
output AWGN channel (Bi-AWGN). Its capacity C 2 (jt) is a 
function of the signal-to-noise ratio 74 , which can be explicitly 
expressed as 


C2(7t) = 


1 - 


J- 


/ oo 

e-(y-^)^/2iog^(l + e-^/^y)dy 

-00 


where {3 = i/ 2 ^. 

The SP59 bound of Shannon ifTOl provides a lower bound on 
the decoding error probability of block codes transmitted over 
the AWGN channel. With a coding approach for physical-layer 


The SP59 bound is exponentially increased with the block 
length and the exponent is strictly negative for all Rc > 
C 2 ( 7 t), it become clear that above capacity the minimum 
probability of error goes to 1 exponentially fast with the block 
length. Hence, one can achieve the information security for 
physical-layer authentication, which, however, not the case for 
classic authentication. 

Lemma 3: (Information security) Given a physical-layer 
authentication system {5, /C, H(C)} over an AWGN channel of 
the SNR 74 , we claim that this system can achieve information 
security if Rc > when L 4 —?> 00 . 

Numerically, we’ll show that the decoding error probability 
can go to 1 even with short block length if the signal-to-noise 
ratio 74 is sufficiently low. 


C. Impersonation Attacks 

In a so-called impersonation attack at time i , the 
adversary (Eve) waits until he has seen the ciphertexts 
( 82 , 62 ),-•• , (which he lets pass un¬ 

changed to the receiver) and then creates and sends a fraudu¬ 
lent ciphertext ( 84 , 64 ) which he hopes to be accepted by the 
receiver as the ith ciphertext. 

Essentially, Eve’s strategy is to maximize the false accep¬ 
tance rate by selecting a suitable message 84 and a key k^;, 
namely. 


max E{r]\Hi,Si,kE}. (28) 
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Equivalently, this means 

min dH {T{si,kB),T{si,kE)), (29) 

as shown by (ISTT l. 

Lemma 4: In order to minimize the false acceptance rate 
of an impersonate attacker, the minimum Hamming distance 
of the code ensemble Ll{C), namely, dmin (H(C)), should be 
maximized. 

V. Numerical Example 

Consider a physical-layer authentication system, in which 
binary key is of length Lk = 128 and the authentication 
tag is of length Lt = 256. To attack this physical-layer 
authentication system, a potential eavesdropper tries to do her 
or his best to decode the key. As one can consider the block 
codes of rate Rc over a Bi-AWGN channel of the SNR 74 , the 
equivalent Eb/No can be defined as Eb/No = R~^jf 



Fig. 1. Sphere-packing low bound on the decoding error probability and 
detection probability (or successful authentication rate) versus E^/Nq. 

Fig.IU shows the SP59 bound on the decoding error prob¬ 
ability and detection probability (successful authentication 
rate) for different Eb/Ng’s. As the eavesdropper cannot do 
better than a ML decoder, the SPB bound provides an over¬ 
estimate of its capability on guessing the key. As shown, the 
eavesdropper becomes hopeless in guessing the key when¬ 
ever Eb/No is below to about -1 dB as the decoding error 
probability is around 1. However, the authentication system 
does work well with almost perfect successful authentication 
rate. In simulations, the threshold is set so as the false alarm 
probability is lower than 0 . 01 . 

VI. Conclusion 

We propose a channel coding approach for physical layer 
authentication. With this new approach, the computational 
security for classic authentication schemes can be well for¬ 
mulated using a new decoding approach. The well-designed 
physical-layer authentication can ensure a new degree of se¬ 
curity, namely, information-security, thanks to the introduction 
of channel noises during transmission. 


Eor design of a physical layer authentication system, the 
success authentication rate should be balanced with an ac¬ 
ceptable false acceptance rate. It is beneficial for use of long 
tags, as the success authentication rate can be enhanced while 
the false acceptance rate can be reduced. In the meantime, 
numerical results show that even with short tags (of length 
256), the best possible decoding error probability under ML 
decoding can approach 1 while the authentication still work 
well. 
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